Nitrokey 3 Alpha Firmware

We have now released a new alpha version, 20221130, of the firmware, now for all Nitrokey 3 models. Future alpha versions will be available centrally in the Nitrokey 3 firmware repository.

One major difference is that this release is available for all Nitrokey 3 models, which is also an important step for the codebase. The firmware for the Nitrokey 3A NFC, 3C NFC and 3A Mini will now be built from one codebase, so all models will have the same functionality in the future.

One-time passwords (OTP)

The firmware includes an initial implementation of HOTP and TOTP as a second factor. These one-time passwords can be used with the current version of the command line tool pynitrokey. A new Nitrokey App 2 is already in development so that one-time passwords can be used conveniently via a graphical user interface (GUI) in the future. Currently you can manage OTPs with the alpha firmware using pynitrokey as follows:

# Register a one-time password with the name 'test':
$ nitropy nk3 otp register --experimental test ABCDEFGHIJKLMNOP

# Display all registered OTP entries:
$ nitropy nk3 otp show

# Get the one-time password for the name 'test':
$ nitropy nk3 otp get --experimental test

# Show help:
$ nitropy nk3 otp --help
$ nitropy nk3 otp register --help

# --clear-password & --set-password do not work at the moment
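The codes the device returns for a registered secret can be checked against an independent software computation. The following reference implementation of HOTP (RFC 4226) and TOTP (RFC 6238) is an added example, not part of the Nitrokey firmware or of pynitrokey; it accepts the same base32 secret format used in the `register` command above (the demo secret `ABCDEFGHIJKLMNOP` is the constructed one from that example), and also shows the verifier-side drift window that a TOTP check normally allows.

```python
"""Reference HOTP (RFC 4226) / TOTP (RFC 6238) computation.

Added example (not Nitrokey firmware or pynitrokey code): lets an alpha
tester compare the code printed by `nitropy nk3 otp get` with an
independent computation for the same base32 secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret_b32: str, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP = dynamic_truncate(HMAC(K, counter as big-endian uint64)) mod 10^digits."""
    # Base32 secrets are case-insensitive; tolerate secrets given without '=' padding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                                  # RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(secret_b32, t // step, digits, algo)


def totp_matches(secret_b32: str, candidate: str, unix_time: int,
                 window: int = 1, step: int = 30) -> bool:
    """Verifier-side check: accept codes from +/- `window` steps to absorb clock drift."""
    return any(totp(secret_b32, unix_time + k * step, step) == candidate
               for k in range(-window, window + 1))


if __name__ == "__main__":
    demo = "ABCDEFGHIJKLMNOP"   # constructed demo secret from the nitropy example
    print("HOTP, counter 0:", hotp(demo, 0))
    print("TOTP, now      :", totp(demo))
```

Register the same secret on the device, then compare the output of `nitropy nk3 otp get` with `totp(demo)` computed on a host whose clock is correct; a mismatch points at a clock or secret-encoding problem rather than at the algorithm.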

OpenPGP Card

The first alpha version of the OpenPGP Card has been further improved, and the current version now supports RSA. In summary, RSA 2048, NIST P256 and Ed25519 keys can now be generated, and RSA 4096 keys can be imported but not generated. In addition, we have improved the compatibility with OpenSC and fixed numerous minor bugs. Please note: if you update from an earlier alpha firmware, you need to factory reset the OpenPGP Card with a specific command, otherwise it won't work properly.

Outlook

Currently, the above functions are only implemented in software and the one-time passwords (or secrets) and cryptographic keys are still stored unencrypted in the microprocessor. Our goal is to integrate the Secure Element (SE050) first with one-time passwords and then with the OpenPGP Card in the next few months. Subscribe to this blog to stay informed about developments.

Short Nitrokey 3 Status Update

Essentially, there is nothing new to report. As mentioned before, we still plan to ship the Nitrokey 3C NFC with new cases starting at the end of this year.

Stay Secure
Your Nitrokey Team

6.12.2022

Comments

I've been using the alpha software on my NK3A for the last two days. OpenPGP works as expected. I have a question, though. You write "cryptographic keys are still stored unencrypted in the microprocessor". So let me ask you: when this is resolved in a new firmware release (in the months to come), will keys be somehow transferred to the secure element or will I lose them when updating firmware? Kind regards, Mateusz
Currently the plan is that there will be no migration path. It is also very likely that (some of) the alpha releases on the way will also delete your keys, as the underlying storage architecture will undergo various changes - that's one of the reasons we state that the alpha shall not be used for production. We will clearly communicate once we expect the key storage to be stable (this might even be before the OpenPGP Card feature itself moves into stable).
OK, I get it. Thank you for your answer.
This sounds like really great progress, keep up the good work! :)
Hey. Since the Nitrokey 3 is CC EAL 6+ certified, has there been any consideration of getting an official Authenticator Certification Level from the FIDO alliance? They rate various FIDO2 authenticators on their ability to protect the secrets they're holding. This is useful for adoption in governments and perhaps even enterprises. The new generation of keys are supposedly utilizing the SE050 so I think this might play in your favor. fidoalliance.org/certification/authenticator-certification-levels/
Yes, we are currently looking at the options to go for a fido-alliance certification, but no ETA yet
Hey. How many key pairs and passwords exactly can be stored in the NK3 is still unknown, right?
Initially there will only be one identity for OpenPGP Card, later likely more. But you are right, we cannot give numbers yet - we are currently working on the details of the storage concept especially on how the 2MB external flash can be incorporated together with the 50kb available on the SE050.
For alpha testers, is there a special procedure to report bugs/issues or should we just dump things into GitHub issues?
Please report on Github, thanks
Can you please clarify how fido resident keys are stored/protected? Is the security chip used? Will a firmware update erase them?
Currently they are stored exclusively inside the MCU's internal non-volatile memory. The MCUs are sealed and firmwares need to be signed, which means there is no way to extract these w/o the signing keys. In the future there will be the option to save them onto the SE050 secure element for even higher security, but this will come with the drawback that fido2 will not work through NFC (as there is not enough power to bring up the secure element during NFC operation). A firmware update will not delete the RKs.
Is there an ETA for the new app? Or a little peek on how the GUI would look like?
Currently we plan for the beginning of 2023; there won't be too much functionality at the beginning. We are planning for smaller, faster release cycles with this application to be able to do small (release) steps with constant improvements.
Please add a hint to the release notes / readme that libccid version 1.5 is required (source: ccid.apdu.fr/ccid/shouldwork.html), otherwise the reset command using opensc-tool will not work.
Thanks for the hint, will do.
Since TOTP and HOTP have been implemented does that mean the NK3 (even if at alpha) can now be used as the OTP key for Heads instead of the Nitrokey Pro2 and the Librem Key?
We are working on that, but there will very likely be the need for a firmware update to support the Nitrokey 3 together with HEADS and the Nitropads. We'll be announcing this once this is possible.
Does that apply only for the HOTP functionality (which I assume is what you need to enable the LIBREM_KEY build option for), or also TOTP? (where you use a QR code) like the Yubikey mentioned in osresearch.net/Prerequisites#usb-security-dongles-aka-security-token-aka-smartcard
The HOTP functionality is quite specific for this use-case. So you are right, the TOTP approach used is afaik a typical TOTP secret which should not differ from any other TOTP. But please take this with a grain of salt: as this is not a typical configuration for us, our experience with HEADS & TOTP is limited.
I updated nitropy with pip and loaded firmware 1.2.2. When I try the example from above, I get on my NK3c:

$ nitropy nk3 otp register --experimental test ABCDEFGHIJKLMNOP
Command line tool to interact with Nitrokey devices 0.4.33
Authentication failed with error: "OTPAppException(code=7903/Unknown SW code)"
Aborted!
Generally, for purely technical issues please report towards support (at) nitrokey (dot) com, or use Github issues. This specific issue happens because pynitrokey in its latest version is not compatible with the alpha firmware anymore; please use 0.4.31 or wait for some more days until we release a new firmware, which will then be compatible with pynitrokey again.
Status updates... we need more gnupg firmware status updates... even if there is no breakthrough surely there is some progress that you can share
There is not too much to report for OpenPGPCard recently, because we are working on the last details and stabilization. After the upcoming stable release there will be an alpha release shortly afterwards with a nearly stable OpenPGPCard, which means inclusion into stable is around the corner then.
For everybody trying the OTP examples from the top of this page: it took me a while to figure out that the 'otp' subcommand was renamed to 'secrets' (nitropy 0.4.34): github.com/Nitrokey/pynitrokey/commit/8c663a67881d200d0f908a88e8e767494f1fa8c3